Creating Azure Resources for On-prem Environment
This topic is intended for the Windchill on-prem System Administrator.
Overview
The Windchill AI Assistant plugin requires several Microsoft Azure services to deliver AI‑powered capabilities to Windchill users in an on‑premises environment.
The plugin uses the following Azure services:
Azure AI Search—For document indexing and search
Azure AI Foundry—For chat completion and document vectorization
Azure Storage—For temporary ingestion of documents
Azure Entra ID—For service principal management and role-based access control (RBAC)
Azure Deployment Scripts—For automated infrastructure provisioning
All required Azure services are defined and deployed using Infrastructure as Code (IaC) through Azure Resource Manager (ARM) templates.
The plugin authenticates with Azure AI Search, Azure AI Foundry, and Azure Storage endpoints using Azure Entra ID service principals. Authorization is enforced through role‑based access control (RBAC).
Azure AI Search, Azure AI Foundry, and Azure Storage accounts are deployed with public endpoints, protected by configurable, IP‑based firewall rules. Network access can be restricted to approved client IP ranges.
It is the responsibility of the deployment owner to review and configure these network access controls in accordance with their organization’s security and compliance requirements.
Prerequisites
Before you deploy Azure resources for the Windchill AI Assistant plugin, ensure the following prerequisites are met:
Python 3.10.0 or later is installed on the system used for deployment.
You have downloaded the AI_Assistant_Plugin_Azure_IaC.zip file, which is available at the bottom of the Windchill AI Assistant Configuration window.
In Plugin Manager, right‑click Windchill AI Assistant and select Configure Plugin.
Note: Azure resources created using this procedure must be used exclusively for the Windchill AI Assistant plugin.
Procedure
Follow these steps to create the required Azure resources:
Step 1: Install Azure CLI and Verify Python
Install the Azure Command-Line Interface (CLI) and ensure that Python 3.10 or later is available on the deployment system.
The az command is used to communicate with Azure during deployment.
The python3 command is used to run the deployment helper script.
For installation instructions specific to your operating system, refer to the official Azure Command-Line Interface (CLI) documentation.
Step 2: Create an Azure Resource Group
Create a new Azure resource group to host the Windchill AI Assistant resources. For more information, see Manage Resource Groups.
Note: The Azure Resource Manager (ARM) template is deployed into this resource group.
Step 3: Create a Service Principal
Create an Azure Entra ID service principal for the plugin’s authentication to Azure resources.
1. Open a terminal or command prompt on a system where Azure CLI is installed.
2. Log in using an identity that can create Entra ID service principals.
3. Run the following command to create a new service principal:
az ad sp create-for-rbac \
--display-name "<Display name>"
In <Display name>, specify the required display name. For example, wcaiassistant-onprem-sp.
The command outputs values similar to the following:
{
  "appId": "<client-id>",
  "password": "<client-secret>",
  "tenant": "<tenant-id>"
}
Securely store the client ID, client secret, and tenant ID.
These values are required later during plugin configuration.
Obtain the Service Principal Object ID by executing the following command:
az ad sp show --id <client-id> --query id -o tsv
The object ID will be required later during IaC configuration.
Step 4: Sign In Using Azure CLI and Verify Required Roles
1. Open a terminal or command prompt where Azure CLI is installed.
2. Sign in using the az login command (as a user or service principal).
3. Ensure that the signed‑in user or service principal has the Contributor role or, at a minimum, the following roles assigned in the resource group:
Cognitive Services Contributor
Cognitive Services OpenAI User
Search Service Contributor
Storage Account Contributor
A custom role that allows the following actions:
Microsoft.Resources/deploymentScripts/read
Microsoft.Resources/deploymentScripts/write
4. Ensure that the signed‑in user or service principal is assigned the Role‑Based Access Control administrator role for the resource group.
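As an added check for this step (example code written for this page, not part of PTC's deployment helper script), the following Python script reads the JSON printed by "az role assignment list --assignee <object-id> --resource-group <rg> -o json" and "az role definition list --custom-role-only -o json" and reports which of the roles listed above the signed-in identity still lacks. The field names roleDefinitionName, roleName and permissions[].actions are the Azure CLI's as the author knows them; the sample documents in the script are constructed with placeholder scopes, and the notActions of custom roles are not evaluated.

```python
"""Check that the identity used for deployment holds the roles Step 4 requires.

Added example for this page, not part of the deployment helper script. Input is
the JSON printed by
    az role assignment list --assignee <object-id> --resource-group <rg> -o json
    az role definition list --custom-role-only -o json
Field names follow the Azure CLI output as the author knows it. The sample
documents below are constructed for this example; notActions of custom roles
are not evaluated.
"""
import json
from fnmatch import fnmatchcase

MINIMUM_ROLES = {
    "Cognitive Services Contributor",
    "Cognitive Services OpenAI User",
    "Search Service Contributor",
    "Storage Account Contributor",
}
DEPLOYMENT_SCRIPT_ACTIONS = {
    "Microsoft.Resources/deploymentScripts/read",
    "Microsoft.Resources/deploymentScripts/write",
}
RBAC_ADMIN = "Role Based Access Control Administrator"


def _norm(name: str) -> str:
    """Compare role names ignoring case, spaces and hyphens."""
    return "".join(ch for ch in name.lower() if ch not in " -")


def _granted(action: str, patterns: set[str]) -> bool:
    """Azure action strings may carry '*' wildcards, e.g. Microsoft.Resources/*."""
    return any(fnmatchcase(action, p) for p in patterns)


def missing_permissions(assignments_json: str, definitions_json: str) -> list[str]:
    """Return a list of problems; an empty list means Step 4 is satisfied."""
    assigned = {_norm(a["roleDefinitionName"]) for a in json.loads(assignments_json)}
    problems = []
    # Contributor (or Owner) already covers the minimum roles and the
    # deployment-script actions, so the itemised check is only needed without it.
    if not assigned & {_norm("Contributor"), _norm("Owner")}:
        for role in sorted(MINIMUM_ROLES):
            if _norm(role) not in assigned:
                problems.append(f"missing role: {role}")
        actions: set[str] = set()
        for definition in json.loads(definitions_json):
            if _norm(definition["roleName"]) in assigned:
                for perm in definition.get("permissions", []):
                    actions.update(perm.get("actions", []))
        for action in sorted(DEPLOYMENT_SCRIPT_ACTIONS):
            if not _granted(action, actions):
                problems.append(f"no assigned custom role allows {action}")
    # Contributor cannot create role assignments, so the RBAC administrator
    # role is checked separately (Owner includes it).
    if not assigned & {_norm("Owner"), _norm(RBAC_ADMIN)}:
        problems.append(f"missing role: {RBAC_ADMIN}")
    return problems


# Constructed samples with a placeholder scope and a hypothetical custom role name.
_SCOPE = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
SAMPLE_DEFINITIONS = json.dumps([{
    "roleName": "wcaia-deployment-scripts",
    "permissions": [{"actions": sorted(DEPLOYMENT_SCRIPT_ACTIONS), "notActions": []}],
}])
SAMPLE_MINIMUM = json.dumps([
    {"roleDefinitionName": name, "scope": _SCOPE}
    for name in sorted(MINIMUM_ROLES) + ["wcaia-deployment-scripts", RBAC_ADMIN]
])
SAMPLE_CONTRIBUTOR_ONLY = json.dumps([{"roleDefinitionName": "Contributor", "scope": _SCOPE}])
SAMPLE_NO_CUSTOM_ROLE = json.dumps([
    {"roleDefinitionName": name, "scope": _SCOPE} for name in sorted(MINIMUM_ROLES) + [RBAC_ADMIN]
])

if __name__ == "__main__":
    for label, doc in [("minimum roles", SAMPLE_MINIMUM),
                       ("Contributor only", SAMPLE_CONTRIBUTOR_ONLY),
                       ("no custom role", SAMPLE_NO_CUSTOM_ROLE)]:
        print(label, "->", missing_permissions(doc, SAMPLE_DEFINITIONS) or "OK")
```

To run it against a real deployment identity, save the two az command outputs to files and pass their contents to missing_permissions. The Contributor-only sample shows the case the step warns about: Contributor satisfies the resource roles but not the role-assignment right the deployment needs, so the RBAC administrator role is reported as missing.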
Step 5: Prepare the ARM Template and Parameter File
1. Copy the following files to a local working directory:
wcaia.json (ARM template file)
wcaia.parameters.json (parameter file)
deploy-wcaia.py (deployment helper script)
2. Edit the wcaia.parameters.json file and provide values for the required parameters.
Note: Do not populate the token‑related parameters (for example, management_token, management_token_expires_on, search_token, and search_token_expires_on). These values are automatically set by the deployment helper script.
a. Specify the location from the following supported Azure regions:
australiaeast
brazilsouth
canadaeast
eastus
eastus2
francecentral
germanywestcentral
italynorth
japaneast
koreacentral
northcentralus
polandcentral
southafricanorth
southcentralus
spaincentral
swedencentral
switzerlandnorth
uaenorth
uksouth
westus
westus3
Note: Review Microsoft’s Azure AI Search supported regions documentation for region-specific limitations, such as:
Capacity constraints that may cause deployment failures.
Reduced storage limits (for example, 25 GB instead of 160 GB), which may prevent indexing of some data.
Lack of availability zones, which may reduce availability guarantees.
b. (Optional) Specify resource tags in common_tags.
If your organization enforces a tagging policy, missing required tags can cause a RequestDisallowedByPolicy error during resource creation.
c. Set service_principal_id to the object ID (also called the Principal ID) of the service principal created in Step 3: Create a Service Principal.
Note: This value is not the service principal client ID. The object ID can be retrieved from the client ID by running the following command:
az ad sp show --id <client-id> --query id -o tsv
d. Populate allowed_ips with a list of IPv4 addresses or CIDR ranges that can access the Azure resources.
Add the IP addresses for all hosts running the plugin.
If you leave the list empty ([]), the firewall is disabled.
Note: Azure resources are exposed on public internet address ranges. For hosts on internal networks (behind NAT), specify the public egress (NAT gateway) IP address or CIDR range.
e. Set ai_search_partition_count to the required number of Azure AI Search Standard S1 partitions. For more information, see Estimating Number of AI Search Partitions.
f. (Optional) Set the text_embedding_capacity parameter to a value lower than the default value of 4000 capacity units (4 million tokens per minute) only if sufficient capacity for the text embedding model is not available in the deployed AI Foundry region.
Note: Indexing speed depends on the available text embedding capacity. If the configured value exceeds the available limits, the deployment helper script reports the actual capacity that is available.
g. (Optional) By default, the Azure Storage Account redundancy configuration storage_sku_name is set to Standard_LRS (locally redundant storage). You can change this value to a different redundancy level in regions where additional options are supported.
h. (Optional) Specify an index name, or retain the default value (default) in the index_names list.
Note: Multiple Windchill instances can share the same Azure resources (AI Foundry, Azure AI Search, and Storage Account). However, each instance must use a unique index.
You can extend the index_names list over time to add additional indexes to the same deployment. Additional indexes may be required when rehosting or reindexing. For more information, see Rehosting Servers for On-prem Environment with AI Assistant Plugin Installed and Reindexing.
Note: Store all credentials securely in your corporate security vault to ensure reliable access when required.
Example parameter file:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "management_token": {
      "value": "SET_BY_PYTHON_SCRIPT"
    },
    "management_token_expires_on": {
      "value": "SET_BY_PYTHON_SCRIPT"
    },
    "search_token": {
      "value": "SET_BY_PYTHON_SCRIPT"
    },
    "search_token_expires_on": {
      "value": "SET_BY_PYTHON_SCRIPT"
    },
    "location": {
      "value": "swedencentral"
    },
    "common_tags": {
      "value": {
        "environment": "QA",
        "purpose": "Windchill AI Assistant"
      }
    },
    "service_principal_id": {
      "value": "00000000-0000-0000-0000-000000000000"
    },
    "allowed_ips": {
      "value": []
    },
    "ai_search_partition_count": {
      "value": 1
    },
    "text_embedding_capacity": {
      "value": 4000
    },
    "storage_sku_name": {
      "value": "Standard_LRS"
    }
  }
}
Step 6: Define a Unique Deployment Name
Define a globally unique deployment name. The deployment name is used as a prefix for Azure resource names.
The deployment name must meet the following requirements:
Contains only lowercase letters and numbers.
Does not exceed 20 characters.
Examples:
acmeaidev
companywcaiprod
ai2025subscracme
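Before the deployment in Step 7 is started, the parameter file from Step 5 and the deployment name from Step 6 can be checked offline. The following Python script is an added example for this page, not PTC's deploy-wcaia.py (which may validate its inputs differently). It applies the rules stated in Steps 5 and 6, treats an empty allowed_ips list and private address ranges as warnings rather than errors because they are the two settings most likely to leave the public endpoints open or unreachable, and embeds the parameters of the page's example file together with a constructed invalid file as sample input.

```python
"""Preflight checks for wcaia.parameters.json (Step 5) and the deployment name
(Step 6), to run before deploy-wcaia.py. Added example for this page, not PTC's
deployment helper script (which may validate its inputs differently).
SAMPLE_PAGE_EXAMPLE mirrors the page's example file; SAMPLE_INVALID is constructed.
"""
import ipaddress
import json
import re
import uuid

SUPPORTED_LOCATIONS = set(
    "australiaeast brazilsouth canadaeast eastus eastus2 francecentral germanywestcentral "
    "italynorth japaneast koreacentral northcentralus polandcentral southafricanorth "
    "southcentralus spaincentral swedencentral switzerlandnorth uaenorth uksouth westus westus3".split())
TOKEN_PARAMS = ("management_token", "management_token_expires_on",
                "search_token", "search_token_expires_on")
TOKEN_PLACEHOLDER = "SET_BY_PYTHON_SCRIPT"
MAX_EMBEDDING_CAPACITY = 4000                       # default and ceiling, Step 5 f
DEPLOYMENT_NAME_RE = re.compile(r"[a-z0-9]{1,20}")  # Step 6 rules


def deployment_name_ok(name: str) -> bool:
    """Only lowercase letters and digits, at most 20 characters."""
    return DEPLOYMENT_NAME_RE.fullmatch(name) is not None


def _is_int(value) -> bool:
    return isinstance(value, int) and not isinstance(value, bool)  # bool is an int subclass


def validate_parameters(text: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for the JSON text of wcaia.parameters.json."""
    params = json.loads(text).get("parameters", {})
    errors, warnings = [], []

    def value(name):
        return params.get(name, {}).get("value")

    # Tokens are minted by the helper script at deployment time; a real token
    # pasted here would be a live credential sitting in a plain file.
    for name in TOKEN_PARAMS:
        if value(name) != TOKEN_PLACEHOLDER:
            errors.append(f"{name}: leave the value as {TOKEN_PLACEHOLDER}")
    if value("location") not in SUPPORTED_LOCATIONS:
        errors.append(f"location: {value('location')!r} is not a supported region")
    try:  # the object ID (a GUID) of the service principal, not its client ID
        uuid.UUID(str(value("service_principal_id")))
    except ValueError:
        errors.append("service_principal_id: must be the service principal object ID (a GUID)")

    ips = value("allowed_ips")
    if not isinstance(ips, list):
        errors.append("allowed_ips: must be a list")
        ips = []
    elif not ips:
        warnings.append("allowed_ips: empty list disables the IP firewall; the public "
                        "endpoints accept connections from any address")
    for entry in ips:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"allowed_ips: {entry!r} is not an IPv4 address or CIDR range")
            continue
        if net.version != 4:
            errors.append(f"allowed_ips: {entry!r} is not IPv4")
        elif net.is_private:  # NAT'd hosts must be listed by their public egress address
            warnings.append(f"allowed_ips: {entry!r} is a private range, not a public egress address")

    parts = value("ai_search_partition_count")
    if not (_is_int(parts) and parts >= 1):
        errors.append("ai_search_partition_count: must be a positive integer")
    cap = value("text_embedding_capacity")
    if cap is not None and not (_is_int(cap) and 1 <= cap <= MAX_EMBEDDING_CAPACITY):
        errors.append(f"text_embedding_capacity: must be an integer from 1 to {MAX_EMBEDDING_CAPACITY}")
    return errors, warnings


# The parameters of the page's example file (Step 5).
SAMPLE_PAGE_EXAMPLE = json.dumps({
    "contentVersion": "1.0.0.0",
    "parameters": {
        **{name: {"value": TOKEN_PLACEHOLDER} for name in TOKEN_PARAMS},
        "location": {"value": "swedencentral"},
        "common_tags": {"value": {"environment": "QA", "purpose": "Windchill AI Assistant"}},
        "service_principal_id": {"value": "00000000-0000-0000-0000-000000000000"},
        "allowed_ips": {"value": []},
        "ai_search_partition_count": {"value": 1},
        "text_embedding_capacity": {"value": 4000},
        "storage_sku_name": {"value": "Standard_LRS"},
    },
})
# Constructed: pasted token, unsupported region, client ID in place of the object
# ID, a private range, a malformed entry, an IPv6 address and out-of-range counts.
SAMPLE_INVALID = json.dumps({"parameters": {
    "management_token": {"value": "<pasted-token>"},
    "location": {"value": "westeurope"},
    "service_principal_id": {"value": "<client-id>"},
    "allowed_ips": {"value": ["10.0.0.0/8", "not-an-ip", "2001:db8::1"]},
    "ai_search_partition_count": {"value": 0},
    "text_embedding_capacity": {"value": 5000},
}})
```

Run validate_parameters on the text of your edited wcaia.parameters.json and deployment_name_ok on the name you chose in Step 6; for the page's example file the only finding is the warning that the empty allowed_ips list leaves the firewall disabled, which is the case to resolve before the resources are created rather than after.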
Step 7: Create Azure Resources
Run the following command from the directory containing the ARM template files and deployment helper script to create the required Azure resources:
python3 deploy-wcaia.py \
  --resource-group ${RESOURCE_GROUP} \
  --deployment-name ${DEPLOYMENT_NAME}
Where:
${RESOURCE_GROUP} is the name of the Azure resource group.
${DEPLOYMENT_NAME} is the unique template deployment name.
Configuration Output from the Deployment Helper Script
After a successful deployment, the deployment helper script generates the configuration values required to connect the Windchill AI Assistant plugin to its Azure services. These values must be entered during the plugin configuration.
The deployment helper script provides configuration values for the following Azure services used by the Windchill AI Assistant:
Azure AI Search
Azure OpenAI
Azure Storage
Use the values generated by the script when configuring the plugin. For configuration steps, see Configuring the Windchill AI Assistant Plugin.
You can also use the deployment helper script to retrieve configuration values from a previously completed deployment by running the script with the --skip-deployment command‑line option.
Note: The client secret for the Azure service principal is available only at the time of creation. If the client secret is no longer available, you must create a new client secret in the Azure portal before continuing with the plugin configuration.
In rare cases, transient race conditions internal to the Azure deployment process may cause the script to stop and report an error. If this occurs, clean up any partial installations and then rerun the deployment script.
The following example shows a typical configuration output generated by the deployment helper script. Actual values will vary based on your environment.
====================================

Windchill AI Assistant Configuration

Azure AI Search

Endpoint
https://acmedev-ai-search.search.windows.net

Index Name -- choose one of
default
another

Authentication Mode -- take from shared authentication configuration below


Azure OpenAI

Endpoint
https://acmedev-ai-foundry.cognitiveservices.azure.com/

Deployment
gpt-5-mini

Authentication Mode -- take from shared authentication configuration below

Azure Storage

Account Name
acmedevdti

Container Name -- choose the one matching the index name
default
another

Authentication Mode -- take from shared authentication configuration below


-------------------------------------
(shared authentication configuration)

Authentication Mode
Service Principal

Tenant ID
12a3b45c-1234-1a2b-ab12-1a234b5cd6ab

Client ID
12a3bc45-123d-12f3-1234-ab100126661b

Client Secret -- Only accessible after creation. Create new secret if needed.
-- Service Principal (App Registration) name: aiassistant-testapp
-- Service Principal (App Registration) ID: ab1c23d4-1abc-1a23-9f28-a12ba123cd12
-- Azure Portal: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Credentials/appId/12a3bc45-678d-11a1-1322-ab100926661b